An error occurred:

Check: WN12-CC-000116

Microsoft Windows Server 2012/2012 R2 Member Server STIG: WN12-CC-000116 (in versions v3 r7 through v2 r7)

Title

The Windows Installer Always install with elevated privileges option must be disabled. (Cat I impact)

Discussion

Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0

Fix Text

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Always install with elevated privileges" to "Disabled".

Additional Identifiers

Rule ID: SV-225390r852223_rule

Vulnerability ID: V-225390

Group Title: SRG-OS-000362-GPOS-00149

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001812

The information system prohibits user installation of software without explicit privileged status.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-11 (2)

Prohibit Installation Without Privileged Status